On Tue, 2011-06-07 at 08:52 -0500, Matt Brookings wrote:
> >> + /*
> >> + vpopmail 5.4 does not understand IPv6
> >> + */
> >> +
> >> + if (!(strcmp(host, "::1")))
> >> + host = "127.0.0.1";
> >
> > Does this code really matter? Wouldn't SMTP relay be open from localhost
> > always anyway?
>
> Unfortunately, the 5.4 branch does not understand "::1" as the loopback,
> and it parses the value incorrectly, leading to an open relay situation.
> Not all systems allow localhost to relay via SMTP without authentication.
Doesn't it also mean that if someone connects via a remote IPv6 address,
it again leads to open relay? How about the attached patch instead?
diff -r ed05316ed441 src/auth/passdb-vpopmail.c
--- a/src/auth/passdb-vpopmail.c Tue Jun 07 16:12:13 2011 +0300
+++ b/src/auth/passdb-vpopmail.c Tue Jun 07 16:57:03 2011 +0300
@@ -136,11 +136,12 @@
return;
}
-#ifdef HAVE_VPOPMAIL_OPEN_SMTP_RELAY
+#ifdef POP_AUTH_OPEN_RELAY
if (strcasecmp(request->service, "POP3") == 0 ||
strcasecmp(request->service, "IMAP") == 0) {
const char *host = net_ip2addr(&request->remote_ip);
- if (host != NULL) {
+ /* vpopmail 5.4 does not understand IPv6 */
+ if (host != NULL && IPADDR_IS_V4(&request->remote_ip)) {
/* use putenv() directly rather than env_put() which
would leak memory every time we got here. use a
static buffer for putenv() as SUSv2 requirements
